One of the bills is H.B. No. 4518, cited as the Texas Consumer Privacy Act (Texas CPA), and the other is H.B. No. 4390, cited as the Texas Privacy Protection Act (TPPA).
The Texas Consumer Privacy Act (Texas CPA), is very similar to California’s Consumer Privacy Act (CCPA), and would apply to companies that do business and collect consumer data in Texas, and:
Have a gross annual revenue that exceeds USD 25 million (this number to be adjusted by the Texas Attorney General every other year as needed); or
Buy, sell, or receive the personal information of 50,000 or more consumers, households, or devices for commercial purposes; or
Derive 50% or more of their annual revenue from selling consumer personal information.
Any business that is controlled by an entity that meets the above requirements is also subject to the proposed legislation.
Some highlighted consumer rights in this proposed legislation include:
A right to disclosure from the business of the personal information collected. Businesses must respond to such request with the source of the collected information, the business or commercial purpose of the collection or selling of this information, and with what third parties this information has been shared.
A right to deletion of the consumer’s personal information collected by the business, with some exceptions.
A right to disclosure of the type of personal information sold by the business and to whom it was sold.
A right to opt out of the sale of personal information.
A requirement for the business to provide a disclosure of the type of and purpose for personal information that is collected prior to collection.
If passed, the Texas CPA would go into effect on September 1, 2020. Civil penalties for violations would be USD 2,500 per violation or, if the violations are intentional, USD 7,500 per violation.
The other bill, the Texas Privacy Protection Act (TPPA), is concerned with processing and retention of personal identifying information.
The two laws differ in many ways, but contain some similarities, including:
Types of businesses governed by the bill are almost identical.
The state Attorney General is in charge of drafting and implementing rules for both proposed laws.
Both contain a requirement to disclose the type of personal information collected/processed and how the information is used prior to collection of such information.
Some highlights of TPPA requirements include that it:
Applies only to information that is collected electronically (over the internet, other digital network, or computing device used by an end user).
Requires explicit consent for processing the personal identifying information from the individual whose information is being collected.
Only allows a business to process personal identifying information if the business is required to do so by law.
Requires the development and implementation of a data security program and accountability program to ensure compliance with the bill’s requirements.
Requires that the business stop processing personal identifying information when the individual closes their account and delete such information within 30 days of account closure, unless a longer retention period is required by law.
If passed, this bill would take effect on September 1, 2019 and carry a civil penalty of USD 10,000 per violation, not to exceed a total amount of USD 1 million.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now